test: ignore IAB capabilities in test-execute
libcap v2.33 introduces a new capability set called IAB[0] which is shown in the output of `capsh --print` and interferes with the test checks. Let's drop the IAB set from the output, for now, to mitigate this. This could be (and probably should be) replaced in the future by the newly introduced testing options[1][2] in libcap v2.32, namely: --has-p=xxx --has-i=xxx --has-a=xxx but this needs to wait until the respective libcap version gets a wider adoption. Until then, let's stick with the relatively ugly sed. Fixes: #15046 [0] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=943b011b5e53624eb9cab4e96c1985326e077cdd [1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=588d0439cb6495b03f0ab9f213f0b6b339e7d4b7 [2] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=e7709bbc1c4712f2ddfc6e6f42892928a8a03782
parent
908055f61f
commit
e9cdcbed77
@ -2,7 +2,7 @@
|
|||||||
Description=Test for CapabilityBoundingSet
|
Description=Test for CapabilityBoundingSet
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep "^Bounding set .*cap_chown"'
|
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
CapabilityBoundingSet=~CAP_CHOWN
|
CapabilityBoundingSet=~CAP_CHOWN
|
||||||
|
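Review bot: The added `-e '/IAB/d'` on the new ExecStart line sits inside the already single-quoted `sh -c` argument, so the inner quotes end and restart the outer string instead of quoting the sed expression. It appears to work only because `/IAB/d` contains nothing that word splitting or the shell treats specially, which makes the line fragile if the pattern is ever extended. Writing it like the first expression, `-e "/IAB/d"`, keeps the whole script in one quoted word. The same construct is on the new ExecStart line of the other eight unit files in this commit.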
@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=no
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
PrivateDevices=no
|
PrivateDevices=no
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
|
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
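Review bot: `grep cap_mknod` on the new ExecStart line still matches the name anywhere in the `capsh --print` output, which is presumably how an extra output line such as the IAB set could disturb these checks in the first place. Anchoring the match to the set under test, as the CapabilityBoundingSet unit already does with `grep "^Bounding set .*cap_chown"`, would keep the assertion tied to one line and survive further capsh output additions without another sed expression; here that would be `grep "^Bounding set .*cap_mknod"`, assuming the bounding set is what this unit intends to verify. The unanchored grep is also used in the CAP_SYS_RAWIO, CAP_SYSLOG and CAP_SYS_MODULE units.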
@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
PrivateDevices=no
|
PrivateDevices=no
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
|
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=yes
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
|
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
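Review bot: The negated check on the new ExecStart line takes its result from grep alone, so it also succeeds when capsh is missing, exits with an error, or prints nothing, and the unit then passes without showing that the capability was actually dropped. This predates the commit, but the extra sed expression adds another way for the pipeline to produce empty output unnoticed. Requiring some expected output first would close that gap, for example `ExecStart=/bin/sh -x -c 'capsh --print | grep -q "^Bounding set" && ! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e "/IAB/d" | grep cap_mknod'`. The same applies to the other negated units here: CapabilityBoundingSet, CAP_SYS_RAWIO with PrivateDevices=yes, ProtectKernelLogs=yes and ProtectKernelModules=yes.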
@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
|
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=no
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ProtectKernelLogs=no
|
ProtectKernelLogs=no
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog'
|
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=yes
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ProtectKernelLogs=yes
|
ProtectKernelLogs=yes
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog'
|
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE ProtectKernelModules=no
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ProtectKernelModules=no
|
ProtectKernelModules=no
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
|
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
|
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|